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(54) Generation of repeatable cryptographic key based on varying parameters 



(57) A repeatable cryptographic key is generated 
based on varying parameters which represent physical 
measurements. Locations within a share table, which 
locations store valid and invalid cryptographic shares, 
are identified as a function of received varying parame- 
ters. The share table is configured such that locations 
which are expected to be identified by legitimate access 
attempts contain valid cryptographic shares, and loca- 
tions which are not expected to be identified by legiti- 
mate access attempts contain invalid cryptographic 
shares. The share table configuration may be modified 
based on prior history of legitimate access attempts. In 
various embodiments, the stored shares may be 
encrypted or compressed. A keystroke feature authenti- 
cation embodiment uses the inventive techniques to 
implement an authentication system which authenti- 
cates based on an entered password and the manner in 
which (e.g. keystroke dynamics) the keystroke is 
entered. Another embodiment uses the inventive tech- 
niques to protect sensitive database information which 
is accessible using DNA measurements. 
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Description - - , ■ ■ < . ■ ■ • ^ 

Field off the Invention 

[0001] The present invention relates generally to s 
computer security. More particularly, the present inven- 
tion relates to the generation and use of cryptographic 
keys for computer security applications. 

Background of the Invention w 

[0002] As computer use becomes more wide- 
spread, the problem of computer system security also 
becomes increasingly critical. The volume of informa- 
tion stored in computer systems is growing at a large w 
rate. Further, the accessibility of such information sys- 
tems is increasing due to the interconnection of compu- 
ter systems through networks such as the Internet. A 
major problem facing computer owners is how to protect 
computer systems, and the information they contain, 20 
from adversaries wishing to gain unauthorized access 
to stored information. 

[0003] One type of computer system security is 
referred to as authentication. Authentication refers to 
confirming the identity of a user prior to allowing access 25 
to a computer system. Most authentication schemes are 
based on the user's knowledge of a secret, called a 
password- A user must have knowledge of a secret 
password in order to gain access to the computer sys- 
tem. 30 
[0004] Another type of computer system security is 
referred to as encryption. Some, or all, of the informa- 
tion on the computer system may be encrypted such 
that the information is rendered unreadable or unusable 
until it is decrypted. Like authentication, decryption also 35 
relies on the knowledge of a secret, called a key, which 
is used to decrypt the information. Thus, even though a 
person may have access to information, that information 
may be useless to someone who does not possess the 
appropriate decryption key. 40 
[0005] These two security techniques of authentica- 
tion and encryption are related in many ways. For exam- 
ple, a secret known by a user may serve as both a 
password and a decryption key. Further, a computer 
system may employ both types of security techniques. 45 
[0006] With respect to authentication, textual pass- 
words have been, and remain, the primary means of 
authenticating users. However, passwords have been 
shown to be a relatively weak mechanism for authenti- 
cation. Studies have shown that users tend to choose so 
passwords that can be easily guessed by an exhaustive 
search of a relatively small subset of all possible pass- 
words. For example, in a study of 14,000 computer sys- 
tem passwords, it was found that almost 24% of the 
passwords could be found in a "dictionary" of only 3 x ss 
1 0 6 words. Considering the high speed at which a com- 
puter could generate and test 3 x 10 6 words, passwords 
are considered to be a weak form of computer security. 



[0007] One known- technique for strengthening 
passwords is to require not only that the correct pass- 
word be typed, but also that the user's keystroke fea- 
tures (e.g. duration of keystrokes and latency between 
keystrokes) match a predetermined stored model of 
expected keystroke features. This technique is effective 
against so-called online attacks in which an adversary is 
attempting to gain access to a computer system through 
the computer's authentication system. However, this 
technique is not effective against a so-called off-line 
attack, in which an adversary gains physical access to 
the computer's data, for example by taking physical pos- 
session of a laptop computer or by otherwise circum- 
venting the computer's authentication system. Once an 
adversary has physical access to computer information, 
the above descrfoed keystroke feature technique is inef- 
fective. Further, if an adversary gets physical access to 
a computer which allows access to the stored keystroke 
feature models, the models may leak sensitive informa- 
tion which would then make it easier for the adversary to 
determine actual user passwords. 
[0008] Other techniques exist which do not require 
the storage of such models in memory. For example, 
U.S. patent no. 5,680,460 describes a technique in 
which a user's fingerprint characteristics are measured 
and various filters are applied to the measurements to 
generate a key which can then be used to authenticate 
the user on a computer system. Another example is G.I. 
Davida, Y Frankel, and B.J. Matt. On Enabling Secure 
Applications Through Off-Line Biometric Identification, 
Proceedings of the 1998 IEEE Symposium on Security 
and Privacy, pp. 148-157, May 1998, in which error cor- 
recting parameters are used to decode biometric (e.g. 
iris scan) readings into a canonical form for a particular 
user. This canonical form may then be used to generate 
a key for authentication purposes. However, both of 
these techniques also suffer from the above described 
deficiency in that any compromise of the underlying sys- 
tem data (either the filters or the error correcting param- 
eters) will leak sensitive information which, in certain 
applications, would allow an adversary to more easily 
determine the user's authentication key. 

Summary of the Invention 

[0009] The present invention provides for the gen- 
eration of a repeatable cryptographic key based on 
potentially varying parameters which are received, for 
example, during a computer resource access attempt. 
The key is repeatable in that the same key may be gen- 
erated using different received parameters. In accord- 
ance with the invention, so-called cryptographic shares 
are retrieved from memory locations identified as a 
function of the parameters. The key may be determined 
from knowledge of a sufficient number of cryptographic 
shares. 

[001 0] In accordance with one embodiment, values 
of the received parameters are used to generate indices 
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into a so-called share table which stores valid and 
invalid cryptographic shares. Valid cryptographic shares 
(i.e., those which may be used to generate the key) are 
stored in memory locations whose indices are expected 
to be generated during legitimate access attempts. 
Invalid cryptographic shares (i.e., those which may not 
be used to generate the key) are stored in memory loca- 
tions whose indices are not expected to be identified 
during legitimate access attempts. Thus, the share table 
may be configured to take into account expected varia- 
tions in the received parameters. In accordance with 
one technique, valid shares may be periodically 
replaced with invalid shares (and vice versa) based on 
a history of access attempts and a change in expected 
parameter values. 

[0011] In various embodiments, the stored shares 
may be encrypted in various ways. In one embodiment 
the shares are encrypted using a value computed as a 
function of expected parameter values. In this embodi- 
ment, one encrypted share is stored and associated 
with each parameter. When a parameter is received 
during an access attempt, the associated stored 
encrypted share is retrieved from memory and an 
attempt to decrypt the share is made using a value com- 
puted as a function of the parameter value. Only if the 
computed value is the same as the value used to 
encrypt the share (i.e., the expected value) will a valid 
share be obtained. Otherwise, an invalid share will be 
obtained. In various embodiments, the cryptographic 
shares may be chosen so as to allow generation of the 
key even if some number of invalid shares are gener- 
ated, as long as a sufficient number of valid shares are 
generated. This embodiment is particularly advanta- 
geous when the number of possible parameter values is 
very large. This embodiment is described in further 
detail below in accordance with an embodiment of the 
invention in which the contents of a database may be 
decrypted using parameters representing measured 
DNA information. 

[0012] Various secret sharing schemes may be 
used to generate the cryptographic shares. In accord- 
ance with one embodiment of the invention, a so-called 
polynomial secret sharing scheme is used. In this 
embodiment, the secret key is the point where the poly- 
nomial crosses the y axis and the cryptographic shares 
are points on the polynomial- Knowledge of a sufficient 
number of points on the polynomial (i.e., cryptographic 
shares), allows for the determination of the polynomial, 
and thus determination of the key. These polynomial 
points may be stored in a straightforward manner by 
storing (x,y) pair values in the share table. Alternatively, 
in order to save memory space (at the expense of an 
increase in computational complexity) compressed 
shares may be stored in the share table. 
[001 3] In accordance with an advantageous 
embodiment of the invention, the inventive techniques 
are used to implement a keystroke feature authentica- 
tion system in which users are authenticated based on 



r > a combination of an entered-password and the manner- 
in which the password was typed. In accordance with 
this embodiment, a share table contains a row for each 
keystroke feature to be considered (e.g., duration of 

5 keypresses, latencies between keypresses). Upon 
receipt of a measured keystroke parameter, a function 
chooses one of two columns in the share table associ- 
ated with the parameter row, depending on a compari- 
son of the parameter with a predetermined threshold. A 

w history of legitimate authentications is kept. When a 
measured keystroke parameter consistently results in 
the function choosing one of the two columns, the asso- 
ciated keystroke feature is considers a distinguishing 
feature, and the other of the two columns in the share 

is table is updated to contain an invalid cryptographic 
share. Over .time, the share table is updated such that ... 
only share table entries which are expected to be 
accessed during future legitimate access attempts con- 
tain valid cryptographic shares, while the share table 

20 entries which are not expected to be accessed during a 
legitimate access attempt contain invalid cryptographic 
shares. In this manner, an illegitimate access attempt 
will retrieve invalid cryptographic shares from the share 
table such that it will not be possible to generate the 

25 cryptographic key. In accordance with another aspect of 
this embodiment, the shares stored in the share table 
are encrypted using the password as the decryption key 
in order to add additional security. 
[001 4] These and other advantages of the invention 

30 will be apparent to those of ordinary skill in the art by 
reference to the following detailed description and the 
accompanying drawings. 

Brief Description of the Drawings 

35 ' T.'ii 

[0015] 

Fig. 1 shows an exemplary share table; 
Fig. 2 illustrates an exemplary polynomial which 
40 may be used in conjunction with a polynomial 
secret sharing scheme; 

Rg. 3 illustrates a share table which stores com- 
pressed cryptographic shares; 
Rg. 4 illustrates a share table which stores 
45 encrypted cryptographic shares; 

Rg. 5 illustrates a share table in accordance with a 
keystroke features authentication embodiment of 
the invention; and 

Rg. 6 illustrates a history table in accordance with a 
so keystroke features authentication embodiment of 
the invention. 

Detailed Description 

55 [0016] The present invention provides for the gen- 
eration of a repeatable cryptographic key based on a set 
of potentially varying parameters. The cryptographic 
key is repeatable in that the same key is generated not- 
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-withstanding that the parameter, on which generation 
of the key is based, may vary from one generation of the 
key to the next. In an advantageous embodiment the 
parameters represent measurements of some physical 
characteristics of either a person or a thing. For exam- 
ple, one class of physical characteristics is biometric 
characteristics of a person. As used herein, the term 
biometric characteristics includes any measurable bio- 
logical, physiological, or biomechanical characteristics 
of a person. Such characteristics include, for example, 
fingerprint, iris, DNA, typing patterns, voice, blood, etc. 
Thus, for computer security applications of the present 
invention, any biometric characteristic, or combination 
of biometric characteristics, which could reasonably 
identify a particular person would be appropriate. 
Another class of physical characteristics are the charac : 
teristics of things (e.g. non-biological items). Such char- 
acteristics include, for example, chemical or molecular 
composition, etc. Although the following description 
describes the invention in terms of parameters repre- 
senting measurements of physical characteristics, it is 
to be understood that the invention is not limited to any 
particular type of parameters, but instead applies to any 
type of varying parameters. 

[0017] Actual measurement techniques will vary 
depending on the embodiment of the invention, and the 
details of particular measurement techniques are not 
the subject of this invention. It is the use of the physical 
measurements, once obtained, to generate a repeata- 
ble cryptographic key for use in computer security appli- 
cations that is the subject of this invention. Thus, we 
assume that the measurements have been made and 
that we are supplied with physical measurement param- 
eters, represented here as parameters: <h»te» # # •♦m- 
[001 8] It is expected that the measurements of the 
same physical characteristics of the same entity may 
vary from one measurement to the next This may be 
due to two factors. First, the measured physical charac- 
teristic itself may be dynamic. For example, if the meas- 
ured physical characteristic were the biometric 
characteristics of voice (e.g. pitch, amplitude) during the 
speaking of some word or phrase, it is expected that an 
individual's voice characteristics will not be exactly the 
same during repeated vocalizations of the same word or 
phrase. As such, the measured characteristics repre- 
sented as parameters fa, fa* * ^ be different 
even though the same person speaks the same word or 
phrase. Second, the measured physical characteristic 
itself may be static, but the measurement of the physical 
characteristic may be imprecise or incomplete. For 
example, a person's fingerprint is static but the results 
of different measurements of the same fingerprint may 
change slightly, due to imprecise measuring equipment 
or because of an incomplete sample. 
[001 9] One of the advantages of the present inven- 
tion is its ability to generate a repeatable cryptographic 
key in view of varying measurements. As a result, the 
invention may be used for various computer security 



■ v-.- applications. For example, as will- be described invfur- * 
ther detail below, in one embodiment the inventive tech- 
nique is used to authenticate computer system users 
based on particular keystroke features during entry of a 

5 password. A user must be authenticated even though 
his/her keystroke features will change slightly during 
multiple entries of the same password. The present 
invention will generate a repeatable key for a particular 
user if the keystroke feature measurements vary within 

10 certain tolerances, thus authenticating the user. 

[0020] In another embodiment (also discussed in 
further detail below) the invention may be used to pro- 
tect information in a sensitive database containing pri- 
vate information. For example, consider a database 

is which contains private information of convicted felons 
-.-> which is only meant to be used for legitimate criminal 
investigation purposes. For example, if a criminal is sus- 
pected of a crime the database record for only that par- 
ticular criminal should be accessible by investigators. 

20 As such, each record in the database is encrypted and 
may only be decrypted using a key which is generated 
using DNA measurements of the associated person. 
This is to assure that prior to accessing potentially pri- 
vate information about a person, the person's DNA has 

25 already been recovered from a crime scene, thus mak- 
ing the person a suspect in a crime. While a person's 
DNA is not dynamic, imprecise measurement tech- 
niques or imprecise samples may result in having 
incomplete DNA measurements. In accordance with the 

30 techniques of the present invention, a repeatable key to 
unlock the database records could be generated with 
this incomplete DNA information. 
[0021] In advantageous embodiments, the inven- 
tion may be implemented using a programmable com- 
as puter. Such a computer comprises a processor for 
executing computer program code stored in a memory 
which is accessible by the processor. As used herein, 
the term memory is used to refer to any computer read- 
able medium, including without limitation, random 

40 access memory (RAM), read only memory (ROM), 
magnetic disk, optical disk, and holographic memory. In 
an advantageous embodiment the computer program 
code is stored in a high speed memory, such as a RAM, 
which is connected to the computer processor. The 

45 computer program code required to implement the 
invention may be written in any well known computer 
language. Given the present description of the inven- 
tion, one of ordinary skill in the art to which the invention 
pertains could readily write the program code neces- 

so sary to implement the invention. The data structures 
described below (e.g. the share table) are also stored in 
memory. A user interacts with the computer using well 
known input/output devices and techniques (e.g. display 
screen, keyboard, mouse). Programmable computers of 

55 the type described herein are well known in the art and 
as such, further details are not required here. 
[0022] As described above, we will assume that 
measurements of some physical characteristic have 
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been taken and we are thus in possession of pararne — 

ters ^ ,<t> 2 , " " *$m> representing those physical charac- 
teristics. In one embodiment of the invention, a function 
f is applied to the parameters fa ,+2, • • • <f m , in order to 
generate a set of indices vi,^-* * m w m such that 5 

* •♦m.HYi'V* - * -^J- Ohe subscript 
m' is used for the parameters ($) to indicate that there 
need not be the same number of parameters (4>) and 
indices (y))- The indices Y1.V2. • "Vm are used to 
access a set of stored values, where at least some of w 
the stored values are so-called cryptographic shares of 
a secret sharing scheme. Secret sharing schemes and 
cryptographic shares will be described in further detail 
below. At this point, let it suffice to say that possession 
of a sufficient number of valid cryptographic shares of a 75 
secret sharing scheme, may be used to generate the 
repeatable key. In order to provide security, not all the 
stored values represent valid cryptograph' 0 shares. 
Instead, the particular values in the set of values which 
contain valid cryptographic shares are chosen to corre- 20 
spond to values of the indices • * • V m which are 
expected to be generated during a legitimate attempt to 
access the computer resource. The other values in the 
set (i.e.. those for which corresponding indices are not 
expected to be generated during a legitimate access 25 
attempt) do not contain valid cryptographic shares. As 
will be described in further detail below, a designer of 
the security system will be able to identify the indices 
which would be expected to be generated during a legit- 
imate access attempt. 30 
[0023] As an example, consider the physical meas- 
urement parameters Hte-Mu corresponding to 4 
measured keystroke features of a particular user during 
the typing of a password. Further, assume that the func- 
tion /. .when applied to these parameters, produces a 35 
set of indices, each in the range of 1-10. For example, 
the indices in the range of 1-10 may be a result of nor- 
malizing the latency measurements. Also, assume that 
the user has engaged in a training session during which 
the user typed the password five times. After applying 40 
the function r* to the parameters 4h.<M>3.*4 generated 
during the training session, the indices V1.V2.V3.V4 
were generated as follows: 

password entry 1 : yi .V2. V3.V4 = 1 .5.9,3 45 
password entry 2: vi,V2.V3«V4 = 2,6,9,3 
password entry 3: V1.V2-V3.V4 = 2,5,8,4 
password entry 4: yi ,y 2 . V3»V4 = 3,5,8,3 
password entry 5: v1.V2.V3.V4 = 1.6,7,3 



From this information, a security designer can conclude 
that expected values of the indices for this user are as 
follows: 



INDEX 


EXPECTED VALUES 


V1 


1,2.3 


V2 


5,6 


V3 


7.8,9 


V4 


3.4 



50 



[0024] The indices are used to select values from a 
data structure called a share table, so named because 
it contains cryptographic shares. An exemplary share 
table is shown in Fig. 1 .as table 100: The indices select 
values from the share table as follows. The first index ^ 
selects a value from the first row, the second index ^ 
selects a value from the second row, the third index ^ 
selects a value from the third row, and the fourth index 
y 4 selects a value from the fourth row. The value of the 
particular index determines the column from which the 
value is selected. Thus, using conventional 
{row r column) notation, given an index a value is 
selected from the share table 100 at location 
[0025] Based on the expected values found during 
the training session, the locations in the share table 100 
corresponding to the expected values for each of the 
indices will be set to contain valid cryptographic shares 
such that the repeatable key may be generated from 
those valid cryptographic shares. Those locations which 
do not correspond to the expected values for each of the 
indices will be set to contain values which are not valid 
cryptographic shares, called invalid cryptographic 
shares, such that the repeatable key may not be gener- 
ated from those values. In Fig. 1, locations in share 
table 100 which contain valid cryptographic shares are 
identified with a S and locations which contain invalid 
cryptographic shares are identified with a x. 
[0026] Secret sharing schemes will be described in 
further detail below. For purposes of the present exam- 
ple, assume that four valid cryptographic shares are 
required to generate the repeatable key. Also assume 
that on a particular access attempt the user types 
his/her password and the function f generates the fol- 
lowing indices based on measurements of the keystroke 
features: 

access attempt 1 : V1.V2.V3.V4 = 2,6,8,4 

Note that although this exact set of indices did not 
appear in any of the training sessions, each of the val- 
ues is an expected value for the corresponding index. 
As such, the indices correspond to locations in the 
share table 100 which contain valid cryptographic 
shares. More particularly, index ^ selects row 1, col- 
umn 2 from the share table, index y 2 selects row 2, col- 
umn 6 from the share table, index \p 3 selects row 3, 
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column 8 from the share table, and index \y 4 selects row 
4, column 4 from the share table. As can be seen from 
Fig. 1, each of these share table locations contains a 
valid cryptographic share as indicated by a As such, 
the correct repeatable key could be generated from the 
valid cryptographic shares and the user would be 
authenticated. 

[0027] Alternatively, assume that the user types 
his/her password and the function f generates the fol- 
lowing indices based on measurements of the keystroke 
features: 

access attempt 2: vi-yg^M^ = 2,7,5,4 

Note here that the index values for V2>V3 are not 
expected values for these indices and as such, the 
entries in the share table 100 corresponding to these 
indices (row 2, column 7 and row 3, column 5) contain x 
indicating an invalid cryptographic share. As such, the 
correct repeatable key could not be generated from 
these cryptographic shares and the user would not be 
authenticated. Further details of an advantageous key- 
stroke feature authentication embodiment of the inven- 
tion will be given below. 

[0028] According to one embodiment of the inven- 
tion, errors, or variations, in measured physical charac- 
teristics may also be tolerated by selecting share table 
locations which were not actually indexed by the set of 
indices generated by the function /. This error tolerance 
is advantageously accomplished by selecting share 
table locations which are in the vicinity of locations actu- 
ally indexed by the indices generated by the function f. 
For example, assume the share table 100 shown in Fig. 
1 and an embodiment in which four indices yi .^2-^3. MM 
are generated. If the repeatable key is not generated 
correctly by selecting shares from the share table loca- 
tions indexed by .^2.^3-^4- then the system may first 
attempt to vary the selection of a share table location 
associated with the first index 1^ by choosing, during 
two separate key generation attempts, the share table 
location on either side of the location indexed by y-j. If 
the generation of the repeatable key is unsuccessful, 
the system may then attempt to vary the selection of a 
share table location associated with the second index 
y 2 in a similar manner. These steps of varying the 
actual chosen share table location may continue for 
each of the indices. Of course, this process of varying 
the selection of share table locations may be extended 
in order to implement an appropriate security scheme 
for different embodiments of the invention. For example, 
during each key generation attempt, one or more share 
table locations may be chosen using this variation tech- 
nique. Further, the amount of variation allowed for each 
location may vary. As described above, the variation 
consists of one table location on either side of the actual 
indexed location. However, the variation may also con- 
sist of more than one table location on either side of the 
actual indexed location. Additionally, depending on the 



■ implementation, it may be appropriate to vary the selec- 
tion of a share table location for only certain of the indi- 
ces. Of course, many other variation techniques may be 
used and are contemplated by this description. 

5 [TJ029] Advantageously the invalid cryptographic 
shares in a share table should be chosen such that they 
cannot be readily recognized as invalid by an adversary 
who compromises the computer system data and gains 
access to the share table. In this way, the adversary 

10 would not be able to gain any information from the share 
table. Further, the values in a share table may be 
encrypted for further security. For example, as will be 
described in further detail below, in the keystroke fea- 
ture authentication embodiment, the values in the share 

15 table are encrypted with the user's actual password in 
order to provide additional security. — 
[0030] Thus, as can be seen, the techniques in 
accordance with the present invention allow a repeata- 
ble key to be generated notwithstanding variations in 

20 measured physical characteristics. The amount of vari- 
ation allowed is defined by the configuration of the share 
table as well as the error tolerance technique described 
above. 

[0031] As described above, a share table contains 

25 at least some valid cryptographic shares of a secret 
sharing scheme. There are various types of secret shar- 
ing schemes, and various ones of these schemes may 
be used to generate the cryptographic shares for stor- 
age in the share table. One type of secret sharing 

30 scheme is a polynomial secret sharing scheme, the 
details of which are described in A. Shamir, How To 
Share A Secret, Communications of the ACM 
22(1 1):612-613, November 1979, which is incorporated 
herein by reference. Since a detailed description of the 

35 scheme may be found in the reference, the scheme will 
only be described in general terms herein. A secret key 
k is chosen from the integers mod q, where q is prime. 
(For notational simplicity, unless otherwise slated, the 
calculations described below for generating the secret 

40 key k are performed mod q). Then, a threshold t is 
determined which represents how many cryptographic 
shares are required to generate the secret key k. This is 
a design choice that would be determined based on the 
particular embodiment of the invention. Next a degree t- 

45 1 polynomial p is chosen at random such that p(0) = k. 
This polynomial is illustrated in Fig. 2. Note that k is 
illustrated as the point at which the polynomial crosses 
the y axis, that is, p(0) = k . As is well known, a polyno- 
mial of degree d can be determined from a knowledge 

50 of d^ points on that polynomial by using well known 
interpolation techniques. Thus, since p is a degree M 
polynomial, knowledge of t points on that polynomial 
are sufficient to determine p. Further, once p is known, 
p(0) can be determined, which is the secret key k. Thus, 

55 by knowing t points on the polynomial, the secret key k 
can be determined as follows. 

[Q032] Given points (x^^)) (jf lP p(x n )) on the 

degree-(M) polynomial p over the integers mod g. the 
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value /c = p(0) can be computed 



p{0)=£cp(x i ) 

where 



c <= n jph, 

Thus, in accordance with one embodiment of the inven- 
tion, the valid cryptographic shares which are stored in 
the share table are points on the polynomial p- Any 
number of polynomial points can be stored in the table, 
with an understand ng that access to any t of those 
points will be enough to generate the secret key k. 
[0033] Referring to Fig. 2, examples of points on the 
polynomial, and therefore valid cryptographic shares in 
the polynomial secret sharing scheme, would be 
(^i.P(xi)),(x 2 .p(x2)),(x3,p(x3)),(x 4 ,p(x4)). These valid 
cryptographic shares would be stored in share table 
locations which, as described above, correspond to 
expected index values which would be generated during 
a legitimate access attempt Invalid cryptographic 
shares, to be stored in share table locations which do 
not correspond to expected index values, can be cho- 
sen from points off the polynomial p, for example points 
201,202,203. 

[0034] Thus, in a straightforward approach, polyno- 
mial points are stored in the share table locations as 
pairs {x it p(x,)). 

[0035] In an alternative to the straightforward 
approach, the cryptographic shares may be com- 
pressed in order to save memory space. In this 
approach, the inherent sequential ordering of the share 
table locations is utilized and points on the polynomial 
are chosen accordingly. Consider the share table 300 
shown in Fig. 3. The share table 300 has 16 locations. 
In the upper left corner of each location is shown the 
standard {row, column) index of the location. In the 
upper right corner of each location is shown the 
sequence number of the location. In a table having n 
columns, the standard (row, column) index can be con- 
verted to the sequence number by the equation: 
sequence # = ((row -1) • n) + column . For example, in 
the table shown in Fig. 3, n = 4, and table entry (3,2) has 
a sequence number of ((3 - 1) -4) + 2 = 10. In this 
embodiment, a valid cryptographic share is entered into 
a table location having sequence number s, by placing 
in that location the value p(s J. Thus, only they value of 
the polynomial point is stored in the table. The x value 
of the polynomial point is the sequence number of the 
share table location and can be derived from the stand- 
ard (row,column) index. For example, in Fig. 3, location 
indexed by (3.2) would contain the value p(10). ft is 



— noted that in this embodiment; prior ;to -generating a - 
valid cryptographic share for storage in the share table, 
the particular location within the share table in which the 
cryptographic share will be stored must be known. The 

s cryptographic share is decompressed using the stored 
/ value in conjunction with the location in which it is 
stored. In this embodiment, the value stored in memory 
is considered a cryptographic share, and is stored in 
compressed format. 

10 [0036] We now describe an embodiment which 
stores encrypted shares in the share table. In accord- 
ance with this embodiment, the share table is stored as 
a plurality of rows (corresponding to the number of 
param eters/i ndices that may be generated) but a single 

15 column. A share table 400 in accordance with this 
embodiment of the invention is illustrated in Fig. 4. In a 
manner similar to that described above in conjunction 
with Fig. 1 , each row of the share table 400 (Fig. 4) cor- 
responds to one of the indices y generated by applying 

20 the function f to a parameter <f>. Recall, as described 

above, /(* v * 2 , * m .) = {VvY 2 . V m }- The 

share table 400 stores cryptographic shares (e.g. points 
on the polynomial) which have been encrypted (by an 
encryption function £) using the expected values of the 

25 indices 1 , y 2 , " " " Ym) as tne encryption key, such that 
. a polynomial point (x p y ; ) is encrypted as 

-expected (*/ » ) * 

30 

(The particular encryption function E would depend on 
the particular implementation.) As such, the stored 
encrypted shares may only be decrypted when an 
expected index value is generated. For example, the 
35 value stored in the share table 400 location correspond- 
ing to \pi is 

^Vi -expected ( X l *y% ) > 

40 

which is a polynomial point (*i,yi) which has been 
encrypted using the expected value of y-i as the encryp- 
tion key. The polynomial point (*i.yi) can only be 
decrypted using the expected value of Yi as the decryp- 

45 ton key. Of course, when an unexpected value for an 
index is used to decrypt an encrypted share, the 
decrypted share will not be a valid polynomial point. 
Thus, in accordance with this embodiment the share 
table will accommodate any number of values which 

so may be generated for an index y • Any index value 
which is not expected will not be able to decrypt the 
stored encrypted share. 

[0037] ft is further noted that in accordance with the 
above described embodiment, a certain amount of 
55 parameter variation may be tolerated by varying the 
degree of the polynomial from which points are chosen 
as shares. As described above in conjunction with Fig. 
2, given a degree M polynomial, the knowledge of f 
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points on that polynomial are^sufficient^lo<letecmin^--p«---^ 
and thus the secret key k. So, in this embodiment, even 
though an attempt may be made to decrypt m crypto- 
graphic shares, the degree of polynomial p may be cho- 
sen such that p may be determined from less than m s 
points on the polynomial. Thus, even if one (or more) of 
the indices y is generated incorrectly, and as a result 
the decryption of the corresponding share results in a 
point which is not on the polynomial, the correct polyno- 
mial may still be determinable using other generated w 
points which are on the polynomial. In this case, in 
which we possess a sufficient number of valid points on 
the polynomial, together with some invalid points off the 
polynomial, well known techniques may be used to 
exclude the bad points in the determination of p. For 15 

example, various subsets of the generated points may.. 

be used in multiple attempts to determine p, until some 
pattern emerges which indicates the valid and invalid 
points. 

[0038] The above described embodiments were 20 
described assuming that the secret sharing scheme 
being used was a polynomial secret sharing scheme. 
However, other types of secret sharing schemes, some 
of which are described below, may also be used. 
[0039] In another embodiment of the invention, the 25 
polynomial scheme is modified such that the secret key 
k is defined as k = g p {0) mod r where r is prime, r~1 is 
a multiple of q, and g has order q mod r, i.e., the set {g° 
mod r.o; 1 mod r,g* mod r,...J contains q elements. 
Rather than storing p(*i), p(x£ t ... as cryptographic 30 
shares in the share table, instead the values 



g** } modr^g**** modr,... 
are stored as the cryptographic shares. Given pairs 
(Xi,**^ modr),...,(x,,g' ( *' ) modr), 



the value k can be computed as 



J|(g p(x,) mod r) c, modr 
/=1 



35 



40 



45 



where c, is as defined above. 

[0040] In another embodiment of the invention, the 
secret key k is computed as the determinant of am m x so 
m matrix over the integers mod q. The cryptographic 
shares are vectors that are used to compose the matrix. 
For ease of description, we describe this embodiment 
for a table with two columns. In this embodiment, ran- 
dom column vectors tv? , each with m elements 55 
taken from the integers mod q. are selected such that 
k = tv^ | , i.e., /c is the determinant of the matrix 

composed by these vectors. Another m random vectors 



U/ u m are then computed so that * 



vbs{0.1} m :|i7? (1) u b J my \ = ^ 



where u b{i) = 5, if 0 and u b{n = Z7, if b{i) = 1. 
Here, b{i) denotes the Mh bit of b, and e, denotes the 
unit vector with a 1 in position / and 0 in all other posi- 
tions. Then, vectors w\ are computed as 

iv] = ( vv° tv°) • Uf. The vector iv*) is the valid 

cryptographic share for the first column of the /-th row of 
the share table, and similarly w] is the valid crypto- 
graphic share for the second column of the /-th row of 
the share table. It then follows that for any b e {0,1} m , 
\w b ® ..... w b ^ m) | = k . That is. with one valid crypto- 
graphic share from each row, the secret- key k can be 
computed. 

[0041] An efficient algorithm to generate u h ....u m is 

as follows. An upper-triangular matrix W = (u\ u m ) 

is chosen that has 1 for each diagonal element and ran- 
dom integers mod q above the diagonal. Then, 
(t/|,...,i7 m )= n- L/'»n -1 where n = (n l ,... t H m ) is a 
permutation matrix (i.e., the identity matrix with columns 
permuted). 

[0042] We now describe a keystroke features 
authentication embodiment of the invention in which the 
inventive techniques are used to provide authentication 
in a computer system based on an entered password 
and keystroke features measured during entry of the 
password. In this embodiment, each user is associated 
with a password, identified as pwd. Further, when a 
user enters the pwd, a certain number, m, of features of 
the user's keystroke features are measured or derived. 
A measured feature is one that is actually measured. 
For example, rf the pwd is 8 characters, in one illustra- 
tive embodiment there are 15 measured features, 
including 8 keypress durations and 7 latencies between 
keypresses. A derived feature is one which is not 
directly measured, but is derived from a measured fea- 
ture (e.g., the ratio of the 7 th and 8 th keypress dura- 
tions). Assume for purposes of this description that 
there are 15 features (m = 15). In this embodiment a 
share table having m rows and 2 columns is used. Such 
a share table is shown in Rg. 5 and will described in fur- 
ther detail below. 

[0043] Next a key k is chosen and cryptographic 
shares are generated using a secret sharing scheme as 
described above. Assume a polynomial secret sharing 
scheme is used and that the actual points of the polyno- 
mial are stored in the share table. Initially, 30 valid cryp- 
tographic shares are generated and each location in the 
share table 500 is initialized to contain a valid crypto- 
graphic share. In order to add an additional measure of 
security, all values in share table 500 are encrypted 
using pwd as the encryption key, and may be decrypted 
using pwd as the decryption key. 
[0044] The function / which generates the incfices \r 
will now be described. For each measured keystroke 



8 



15 

feature parameter there is an associated threshold /?, 
which is used during the generation of the index \\f, for 
the particular measured feature. The function f is 
defined as follows: 

where 




0 if^<A, 
lif*>* 



Thus, for each parameter representing a measured key- is 
stroke feature, the corresponding index generated by - 
the function will be 0 if the parameter is less than the 
associated threshold and 1 if the parameter is greater 
than or equal to the associated threshold. The threshold 
h f may, for example, be a time value (e.g. 1 00ms). 20 
[0045] Each time a user enters a pwd each of the 
15 keystroke features will be measured as a parameter 
<|>,. The function / will compare the parameter to the 
threshold h, associated with that measurement and will 
generate \|r, as having a value of 0 or 1 depending on 25 
which side of the threshold <!>, falls on. The value of is 
then used as an index into the /th row of the table 500. 
The left column of row / is chosen if y, is 0, and the right 
column of row / is chosen if y,- is 1 . The value in the 
selected entry of the /th row is used as the crypto- 30 
graphic share from that particular row. After crypto- 
graphic shares have been selected from all 15 rows, 
they are used as described above to generate the key k. 
As described above, the cryptographic shares must first 
be decrypted using pwd prior to using them to generate 35 
the key k . 

[0046] Since all share table 500 locations initially 
have valid cryptographic shares, initial access attempts 
which provide the correct pwd (to allow decryption of 
the share table 500) will result in the generation of the 40 
correct key k. However, during subsequent access 
attempts, the access structure (i.e., the sets of entries in 
the share table which enable generation of the crypto- 
graphic key) defined by share table 500 is reduced 
based on the typing patterns of the user. This is accorrv- 45 
plished through use of a history table, which stores the 
parameters fa.fe, - • for a given number of previ- 
ous successful access attempts for each user. An illus- 
trative history table 600 is shown in Fig. 6. As the history 
table 600 is populated with parameters, certain typing so 
patterns of the associated user can be determined. 
Each of the measured parameters can be analyzed to 
determine if one of the parameters is associated with a 
distinguishing feature. A distinguishing feature is one 
which can be used to distinguish this user from other 55 
users. If a parameter ft is consistently substantially 
more or less than the associated threshold h h then the 
associated feature is considered a distinguishing fea- 
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ture, and the share table 500 may be rebuilt to make use-^ 
of this distinguishing feature as follows. If a parameter <)>/ 
in the history table 600 is consistently on one side of the 
associated threshold h h then it is assumed that this 
parameter 4,- will continue to be on the same one side of 
the associated threshold h, during subsequent legiti- 
mate access attempts by the same user. As such, the 
entry in the share table 500 corresponding to the other 
side of the threshold for this parameter will be changed 
to contain an invalid cryptographic share. Thus, the 
access structure defined by share table 500 is thus 
reduced and in this way the share table 500 is modified 
to reflect the typing patterns of the authorized user. 
[0047] The history table can be analyzed and corre- 
sponding changes made to the share table 500 on a 
.periodic basis. This may be done after every successful 
access by the user, after some number of successful 
accesses, or after some time period has elapsed. In an 
advantageous embodiment, when making changes to 
the share table 500, the key k remains the same, but the 
entire table is rebuilt using new cryptographic shares 
which are points on a new polynomial p. In this manner 
the share table, and therefore the access structure, 
dynamically adjust based on the user's typing patterns. 
Of course, depending on the typing patterns of the user, 
the share table may be modified to contain more, or 
less, valid cryptographic shares. 
[0048] Also, as described above, the degree of the 
polynomial p may be chosen to allow generation of the 
correct cryptographic key even tough one (or more) of 
the selected share table locations contain an invalid 
cryptographic share. 

[0049] Thus, in order for the correct k to be gener- 
ated, the user must enter the correct pwd (so that the 
cryptographic shares in the share table can be 
decrypted), and the pwd must be entered using key- 
stroke features that will result in a sufficient number of 
valid cryptographic shares being chosen from the share 
table. A user could then be authenticated on the basis of 
whether the correct secret key k was generated. For 
example, this could be verified by decrypting a file with 
k and seeing if a correctly formatted file results, or by 
hashing k and comparing the result to a previously 
stored hash value. 

[0050] We have found that it is advantageous to fur- 
ther implement an error tolerance scheme, as described 
above, in the keystroke features authentication embodi- 
ment. More particularly, we have found it advantageous 
to simultaneously vary the selection of two share table 
500 locations in an attempt to generate the repeatable 
key. The variation consists of, for each of two share 
table rows, choosing the share from the column other 
than the column actually indexed by the associated 
index generated by the function f. Thus, if a repeatable 
key is not generated correctly based on the originally 
generated indices, then two rows of the share table 500 
are chosen for variation. If the repeatable key is still not 
generated correctly, then another two rows are chosen 
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-for-variation. This continues -until the correct *repeatable Y tv. > 
key is generated or until all two-row combinations have 
been exhausted. 

[0051] The repeatable key k may also be used as 
an encryption key to encrypt the user's data in the com- 5 
puter. 

[0052] We now describe an embodiment of the 
invention in which the inventive techniques are used to 
protect a database which stores private information of 
individuals (e.g., convicted felons) which is only meant 10 
to be used for legitimate criminal investigation pur- 
poses. For example, if a criminal is suspected of a crime 
the database record for only that particular criminal 
should be accessible by investigators. As such, each 
record in the database is encrypted and may only be 75 
decrypted using a key which is generated using -DN A ->.v~ 
measurements of the associated person. This is to 
assure that prior to accessing potentially private infor- 
mation about a person, the person's DNA has already 
been recovered from a crime scene, thus making the 20 
person a suspect in a crime. While a person's DNA is 
not dynamic, imprecise measurement techniques or 
imprecise samples may result in having incomplete 
DNA measurements. In accordance with the techniques 
of the present invention, a repeatable key to unlock the 25 
database records could be 

[0053] This embodiment of the invention utilizes the 
technique of storing shares generated with this incom- 
plete DNA information.encrypted with expected index 
values, which was described above in conjunction with 30 
Fig. 4. When a record containing sensitive information is 
to be stored in the database, assume that certain DNA 
measurement of a person are known. Referring again to 
Fig. 4, assume that m DNA measurements have been 
taken. An appropriate polynomial p is chosen of degree. 35 
t-1, where it is desired that knowledge of t points on the 
polynomial will allow access to the record, where f £ m. 
The record is encrypted using a key k which is the point 
on the polynomial p which crosses the y axis, and the 
encrypted record is stored in the database. A share 40 
table which would allow the record to be decrypted in 
appropriate circumstances is generated as follows. 
Each DNA measurement is assigned a sequence 
number (1, 2, ... m) which correspond to parameters 
♦i-fe * * **m representing those measurements. A 45 
function / is chosen such that 
'(<h.*2.- • •* m .) = tM'i.y2^ * -v m }. For example, 
the function f may be a hash function. Using knowledge 
of the expected values of " * *Wm together with 
knowledge of the polynomial p, points on the potyno- so 
mial p are encrypted using expected index values as 
described above in conjunction with Rg. 4. 
[0054] Thereafter, the stored record of a person 
may only be decrypted by someone in possession of the 
DNA of that person. In order to decrypt the record, the 55 
appropriate sequence of DNA measurements are made 
in order to generate the parameters ^.fc, * * m $ m rep- 
resenting those measurements. The function f is 



-applied to the parameters ifyfes*-' • 4^ in order, to gen- 
erate indices Yi .^2. * * * Vm such that 
• •♦J = tVi.^' • *V m }- Each gener- 
ated index y, is used to decrypt the corresponding 
encrypted share 



^-expected 



stored in the rth row of the share table in order to gener- 
ate the polynomial point (*/,//). The set of generated 
polynomial points may be used as described above in 
order to generate the cryptographic key k t which is the 
point at which the polynomial crosses the y axis. 
[0055] The foregoing Detailed Description is to be 
understood as being in every respect illustrative and 
exemplary, but not restrictive, and the scope of the 
invention disclosed herein is not to be determined from 
the Detailed Description, but rather from the claims as 
interpreted according to the full breadth permitted by 
the patent laws. It is to be understood that the embodi- 
ments shown and described herein are only illustrative 
of the principles of the present invention and that vari- 
ous modifications may be implemented by those skilled 
in the art without departing from the scope of the inven- 
tion. 

Claims 

1 . A method for generating a cryptographic key using 
at least one parameter comprising the steps of: 

retrieving at least one cryptographic share from 
a memory location identified as a function of 
said at least one parameter; and 
generating a cryptographic key based on said 
at least one cryptographic share. 

2. The method of claim 1 wherein said at least one 
retrieved cryptographic share is encrypted, said 
method further comprising the step of: 

decrypting said at least one cryptographic 
share. 

3. The method of claim 2 wherein said step of decrypt- 
ing comprises the step of: 

decrypting using a value computed as a func- 
tion of said at least one parameter. 

4. The method of claim 1 wherein said at least one 
retrieved cryptographic share is compressed, said 
method further comprising the step of: 

decompressing said at least one cryptographic 
share. 
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The methodof claim 4 wherein said step of decom- ^16. The method of claim 1 1 further comprising the-step 
pressing comprises the step of: of: 



decompressing said at least one cryptographic 
share using an index of said memory location. 5 

The method of claim 1 wherein said at least one 
parameter represents at least one measurement of 
a physical property. 

it 

The method of claim 1 further comprising the step 
of: 



generating a plurality of indices as a function of 
said keystroke features; and 
using said plurality of indices to identify loca- 
tions within said data structure from which to 
retrieve said cryptographic shares. 

17. The method of claim 16 wherein said step of gener- 
ating a plurality of indices as a function of said key- 
stroke features comprises the step of: 



generating at least one index as a function of 
said at least one parameter; and 
using said-index to.identrfy said memory loca- 
tion. 

The method of claim 7 further comprising the step 
of: 



20 



for each of said keystroke features, generating 
one of two indices as a function of a threshold 
■ - -• value. •• • — - 

1a The method of claim 16 wherein said step of gener- 
ating a plurality of indices as a function of said key- 
stroke features comprises the step of: 



retrieving a cryptographic share from a mem- 
ory location in the vicinity of said memory loca- 
tion identified by said index 

25 

9. The method of claim 7 wherein said step of gener- 
ating at least one index comprises the step of gen- 
erating the same index for a set of parameter 
values. 

30 

1 0. The method of claim 9 wherein said set of parame- 
ter values are within a predetermined range of val- 
ues. 

1 1 . A method for generating a cryptographic key com- 35 
prising the steps of: 

measuring a plurality of keystroke features dur- 
ing entry of a password; 

retrieving from a data structure a plurality of 40 
cryptographic shares as a function of said plu- 
rality of keystroke features; and 
generating a cryptographic key using said cryp- 
tographic shares. 

45 

12. The method of claim 11 wherein said cryptographic 
shares represent points on a polynomial. 

13. The method of claim 11 wherein said cryptographic 
shares represent vectors. so 

14. The method of claim 1 1 wherein said cryptographic 
shares are compressed. 

1 5. The method of claim 1 4 wherein said cryptographic ss 
shares comprise y values of points on a polynomial 
and the corresponding x values are derivable from 

a data structure location. 



for each of said keystroke features, generating 
one of a plurality of indices as a function of a 
plurality of threshold values. 

1 9. The method of claim 1 1 wherein said cryptographic 
shares stored in said data structure are encrypted, 
said method further comprising the step of: 

decrypting said cryptographic shares using 
said password. 

20. The method of claim 11 further comprising the 
steps of: 

maintaining a history file containing information 
relating to prior successful key generation 
attempts; and 

based on said history file, storing invalid cryp- 
tographic shares in data structure locations 
which are not expected to be accessed during 
subsequent legitimate key generation 
attempts. 

21. A method for generating a cryptographic key using 
a plurality of parameters having a sequence and 
representing physical measurements, said method 
comprising the steps of: 

for each of said plurality of parameters: 

retrieving an encrypted cryptographic 
share from a memory location as a func- 
tion of the sequence of said parameter; 
decrypting said encrypted cryptographic 
share with a function of said parameter; 
and 
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. ;r^ generating a -cryptographic key- -using said 
decrypted cryptographic shares. 

22. The method of claim 21 wherein said physical 
measurements are measurements of DNA. s 

23. The method of claim 21 wherein said function of 
said parameter used to decrypt said encrypted 
cryptographic share is a hash function. 

w 
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